[Snort-sigs] multiple ip_proto rule
Chris Green
cmg at ...435...
Tue Aug 13 13:49:03 EDT 2002
Andreas Östling <andreaso at ...58...> writes:
> On Tue, 13 Aug 2002, Brian wrote:
>
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC \
>> Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; \
>> ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; \
>> classtype:non-standard-protocol; sid:1620; rev:2;)
>
> Isn't this what "allowed_ip_protocols" in spp_conversion is supposed to
> do (when finished)?
Yes. I should finish it. I was trying to ask what he was looking for
:^).
Actually, I should fix both :^)
--
Chris Green <cmg at ...435...>
You now have 14 minutes to reach minimum safe distance.
More information about the Snort-sigs
mailing list